FrameScript-functions and warden

  1. #1
    Cromon

    FrameScript-functions and warden

    Hello there!

    I'm working on my in-proc wrapper for all the Lua stuff. Thus I'm creating an empty 0-sized frame which listens for events. I'm also detouring FrameScript::InvalidPtrCheck so as not to get in trouble when a function is called that was previously registered using FrameScript::RegisterFunction.

    The code I use is the following:
    Code:
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Runtime.InteropServices;
    
    namespace Framework.LUA
    {
        public class EventManager
        {
            public EventManager()
            {
                IntPtr origPtrCheck = new IntPtr(Memory.Native.ModuleBase.ToInt32() + (int)LUAOffsets.funInvalidPointerCheck);
                PtrCheckNew = OnPointerCheck;
    
                PointerCheckDetour = new Memory.Detour<InvalidFunctionPointerCheckDlg>(origPtrCheck, PtrCheckNew);
                if (!PointerCheckDetour.Enable())
                {
                    Console.WriteLine("Unable to enable detour!");
                    throw new InvalidOperationException("Unable to write detour!");
                }
    
                eventHandler = OnEvent;
                tramp = LUAFunctions.CreateLuaTrampoline(eventHandler);
                LUAFunctions.FrameScript_RegisterFunction("theEventHandler", tramp);
    
                mEventScript.Lines.Add("local f = CreateFrame(\"FRAME\", \"EventFrame" + this.GetHashCode() + "\", UIParent);");
                mEventScript.Lines.Add("f:SetWidth(0);");
                mEventScript.Lines.Add("f:SetHeight(0);");
                mEventScript.Lines.Add("f:RegisterEvent(\"TIME_PLAYED_MSG\");");
                mEventScript.Lines.Add("f:RegisterEvent(\"CHAT_MSG_SAY\");");
                mEventScript.Lines.Add("f:RegisterEvent(\"UNIT_SPELLCAST_SUCCEEDED\");");
                mEventScript.Lines.Add("f:SetScript(\"OnEvent\", theEventHandler);");
    
                mEventScript.Execute();
            }
    
            public int OnEvent(IntPtr state)
            {
                var luas = new LUAState(state);
                for (int i = 1; i <= luas.NumArguments; ++i)
                {
                    if (luas.ArgumentTypes[i] == LUATypes.String)
                    {
                        string str = luas.Get<string>(i);
                        Console.WriteLine("string arg{0} = {1}", i, str);
                    }
                }
                return 0;
            }
    
            private int OnPointerCheck(IntPtr function)
            {
                if (function == tramp)
                    return 1;
    
                return (int)PointerCheckDetour.CallDetoured(function);
            }
    
            delegate int EventDelegate(IntPtr state);
    
            [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
            delegate int InvalidFunctionPointerCheckDlg(IntPtr function);
    
            InvalidFunctionPointerCheckDlg PtrCheckNew;
    
            EventDelegate eventHandler = null;
            IntPtr tramp;
            Memory.Detour<InvalidFunctionPointerCheckDlg> PointerCheckDetour;
    
    
            LUAScript mEventScript = new LUAScript();
        }
    }
    Now my question is:
    Does anybody who has studied Warden know whether it checks if InvalidPtrCheck was changed? I must confess that I'm not that much into Warden so far, but from the name and the code InvalidPtrCheck is executing, I've got the feeling that if I were Blizzard, I'd check that function.

    Thanks for any thoughts or responses on that!

    Greetings
    Cromon

  2. #2
    jjaa
    Warden has scanned for those invalid ptr checks in the past (I think it was actually the data that stored the end of the .text segment). That's why most people write a code cave in the .text segment that jumps out to their function.

  3. #3
    caytchen
    Or just not register a new function at all. Anyway, if you still want to do it, don't change the bad function pointer check, but just register a jmp to your function that you write to a code cave to pass the check.

  4. #4
    Cypher
    Whilst jjaa and caytchen are both correct, there is a slightly better 'public' way to do it. Register a callback inside the .text section that when called will cause an exception to be raised (interrupt, invalid instruction, access violation, etc etc). Then you can use VEH to catch this exception when your fake callback is called, and redirect to your real callback. That way you don't need to modify WoW at all, not even to write a jump to a 'code cave' (which I believe is something that caused HB to get detected a while back -- I can't remember 100% as it was quite a while ago, so don't quote me on that).

  5. #5
    amadmonk
    ...or don't register a callback at all and use a userdata bridge
    Don't believe everything you think.

  6. #6
    Cypher
    Originally Posted by amadmonk
    ...or don't register a callback at all and use a userdata bridge
    **** that. Lazy way ftw.

  7. #7
    Cromon
    Originally Posted by Cypher
    Whilst jjaa and caytchen are both correct, there is a slightly better 'public' way to do it. Register a callback inside the .text section that when called will cause an exception to be raised (interrupt, invalid instruction, access violation, etc etc). Then you can use VEH to catch this exception when your fake callback is called, and redirect to your real callback. That way you don't need to modify WoW at all, not even to write a jump to a 'code cave' (which I believe is something that caused HB to get detected a while back -- I can't remember 100% as it was quite a while ago, so don't quote me on that).
    That sounds interesting! So, for example, registering 0x40269D (not rebased) as the function, which is just alignment and filled with int 3 (0xCC), catching exceptions using VEH, and, if the exception location is 0x40269D and the exception code is first chance exception, calling my callback. Is that right?

    About other suggestions:
    As the whole project is only to improve my skills and not aimed at writing a bot, I'll try to implement each of them if possible, as every accomplished thing is a learned thing.

  8. #8
    Cypher
    Originally Posted by Cromon
    That sounds interesting! So, for example, registering 0x40269D (not rebased) as the function, which is just alignment and filled with int 3 (0xCC), catching exceptions using VEH, and, if the exception location is 0x40269D and the exception code is first chance exception, calling my callback. Is that right?

    About other suggestions:
    As the whole project is only to improve my skills and not aimed at writing a bot, I'll try to implement each of them if possible, as every accomplished thing is a learned thing.
    Your terminology is slightly off, but yes, you seem to have the basic concept down. It's not very difficult to do, give it a try!
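
Seen from the integrity-checking side, the approaches in this thread leave different traces: a jump written into .text changes section bytes, while a callback pointed at int 3 padding changes nothing and only shows up when the registered pointer itself is audited. The C sketch below is an added example, not code from any poster or from Warden; the section bytes, the base address 0x1000 and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of a module's .text section (constructed sample data, 32-bit x86). */
typedef struct { uint32_t base; const uint8_t *bytes; size_t size; } text_section;
typedef enum { CB_OK, CB_OUTSIDE_TEXT, CB_INT3_PADDING, CB_JMP_OUT_OF_TEXT } cb_verdict;

/* Two tiny functions separated by 0xCC alignment padding. */
static const uint8_t CLEAN[32] = {
    0x55,0x8B,0xEC,0x33,0xC0,0x5D,0xC3,0xCC, 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
    0x55,0x8B,0xEC,0x5D,0xC3,0xCC,0xCC,0xCC, 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC };
/* Same section with "jmp 0x00500000" written into the padding at offset 8. */
static const uint8_t PATCHED[32] = {
    0x55,0x8B,0xEC,0x33,0xC0,0x5D,0xC3,0xCC, 0xE9,0xF3,0xEF,0x4F,0x00,0xCC,0xCC,0xCC,
    0x55,0x8B,0xEC,0x5D,0xC3,0xCC,0xCC,0xCC, 0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC };
static const text_section clean_text   = { 0x1000, CLEAN,   sizeof CLEAN };
static const text_section patched_text = { 0x1000, PATCHED, sizeof PATCHED };

static int in_text(const text_section *t, uint32_t addr) {
    return addr >= t->base && addr - t->base < t->size;
}

/* Integrity check: bytes of the live section that differ from the baseline. */
size_t text_diff(const text_section *live, const text_section *baseline) {
    size_t n = 0;
    for (size_t i = 0; i < live->size && i < baseline->size; i++)
        n += live->bytes[i] != baseline->bytes[i];
    return n;
}

/* Audit a registered callback pointer. A bare range check only rejects
   CB_OUTSIDE_TEXT; the other verdicts need a look at the target bytes. */
cb_verdict audit_callback(const text_section *t, uint32_t cb) {
    if (!in_text(t, cb)) return CB_OUTSIDE_TEXT;
    const uint8_t *p = t->bytes + (cb - t->base);
    size_t left = t->size - (cb - t->base);
    if (p[0] == 0xCC) return CB_INT3_PADDING;        /* not a function entry */
    if (p[0] == 0xE9 && left >= 5) {                 /* jmp rel32 */
        uint32_t rel = p[1] | p[2] << 8 | p[3] << 16 | (uint32_t)p[4] << 24;
        if (!in_text(t, cb + 5 + rel)) return CB_JMP_OUT_OF_TEXT;
    }
    return CB_OK;
}

int main(void) {
    return !(text_diff(&clean_text, &clean_text) == 0 &&
             audit_callback(&clean_text, 0x1008) == CB_INT3_PADDING);
}
```

A stricter variant would accept only pointers that appear in a list of known function entry points instead of inspecting the first bytes.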

  9. #9
    suicidity
    You could also destroy unchecked pointers to use a VEH hook, but be careful.

